Date: Fri, 14 Sep 2001 11:11:10 +0800
From: Igor Podlesny
Organization: Morning Network
Message-ID: <22226074908.20010914111110@morning.ru>
To: Giorgos Keramidas
Cc: Brian Somers, hackers@FreeBSD.ORG
Subject: Re[2]: Checking changes to listening ports in /etc/security
In-Reply-To: <20010914015203.A43352@hades.hell.gr>

Hello!

I've done a similar thing myself too, because I have been working with some Linux distros where it is a usual thing (I mean detection of any listener changes), and I consider it useful. But the idea is slightly different: my code is called every minute (from cron). It then compares against the previous situation and, in case of any changes, reports them via e-mail to root.

Actually, the code is quite raw/poor in terms of its abilities; for example, reporting via syslog could also have a place. Another thing to change is using sort(1)|comm(1) instead of diff(1), because sometimes the only thing that has changed is the position of lines in sockstat(1)'s output...
Up till now I haven't rewritten it (it works :-) and a lack of time, alas). Here it is:

======================================================================
#!/bin/sh
# Compare the current set of listening sockets with the previous
# snapshot and mail root about any difference.  Meant to be run from
# cron every minute.
prevsf=/var/spool/prevsockstat
nowsf=/var/spool/nowsockstat

# First run: there is no previous snapshot yet, so just record the
# current one and report nothing.
if ! [ -e "$prevsf" ]; then
    nowsf=$prevsf
fi

# Sorting makes the comparison insensitive to the order in which the
# sockets are listed, so a mere reordering is not reported as a change.
sockstat -f inet -an | grep LISTEN | sort > "$nowsf"

if ! diff "$nowsf" "$prevsf" >/dev/null 2>&1; then
    hostname=`hostname`
    mail -s "$hostname listeners changed!" root <<__TEXT__
Date: `date`
the difference:
----------------------X-8----------------------------------
`diff "$prevsf" "$nowsf" 2>&1`
----------------------X-8----------------------------------
the sockstat output:
`sockstat -4`
__TEXT__
    # The new snapshot becomes the baseline for the next run.
    mv -f "$nowsf" "$prevsf"
fi
======================================================================

As you can see there are lots of places where it could be improved. :)

MYBR!

> From: Brian Somers
> Subject: Re: Checking changes to listening ports in /etc/security
> Date: Thu, Sep 13, 2001 at 10:25:02PM +0100
>
>> I like this idea. I think it would be worth making it diff against
>> /dev/null when netstat.today doesn't exist, so that the first time
>> this is run on a given machine, you get to see all the ports that are
>> open.
>
> Done. I duplicated the code of the second if[] since I could not easily come
> up with a version that does not use some kind of shell variable weirdness
> and still work the same way. I prefer to keep this clean and easy to
> understand. The attached patch makes /dev/null the first argument of diff
> when sockstat.today does not exist.
>
>> [.....]
>> +[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
>> [.....]
>>
>> I think this line is bogus. In fact, it looks like the
>> $daily_status_security_noamd periodic.conf tunable is broken.
>>
>> Oops! I'll fix it after your changes go in.
>
> So far, two people like the change.
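Review bot: the quoted `+[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat` line stores a command together with its pattern argument in one scalar, so wherever $cmd is expanded unquoted the pattern is subject to word splitting and pathname expansion, and an ignore pattern containing spaces, quotes or a `*` will not reach egrep as a single argument; if $ignore is exactly "|", the `${ignore#|}` strip leaves egrep with no pattern at all and it will swallow whatever follows as its pattern. Safer to decide at the point of use, e.g. `if [ -n "$ignore" ]; then egrep -v "${ignore#|}"; else cat; fi`, or to wrap that in a small filter function, so the pattern stays quoted.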
> Since I can't help in making the change go in, I trust that after checking
> I did not break anything that I missed in my tests, you'll either give me a
> 'go ahead' to send-pr or just commit this yourself?
>
> -giorgos

--
Igor
mailto:poige@morning.ru
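The sort(1)|comm(1) comparison Igor mentions, together with the diff-against-/dev/null first run that Brian and Giorgos discuss and the ignore pattern from the quoted patch line, as an added example that is not part of the original thread, of Igor's script or of the FreeBSD /etc/security script. It assumes POSIX sh with grep, sort, comm, cmp and mktemp; the two snapshots are constructed netstat(1)-style text, not output from a real host, and the names normalize, listeners_diff and write_samples are the example's own.

```shell
#!/bin/sh
# Added example (not code from the thread): order-insensitive comparison of
# two listener snapshots, reporting removed and added listeners, with an
# optional ignore regex and a /dev/null baseline on the first run.
# The sample snapshots below are CONSTRUCTED netstat(1)-style text.
LC_ALL=C; export LC_ALL

# Constructed "yesterday" snapshot: two wildcard listeners, one loopback listener.
SAMPLE_PREV='tcp4  0  0  *.22            *.*               LISTEN
tcp4  0  0  127.0.0.1.25    *.*               LISTEN
tcp4  0  0  *.80            *.*               LISTEN
tcp4  0  0  192.168.1.5.22  192.168.1.9.1034  ESTABLISHED'

# Constructed "today" snapshot: the same listeners in a different order, plus
# a new *.8080 listener, loopback 25 replaced by loopback 6010, a new session.
SAMPLE_NOW='tcp4  0  0  *.8080          *.*               LISTEN
tcp4  0  0  *.80            *.*               LISTEN
tcp4  0  0  *.22            *.*               LISTEN
tcp4  0  0  127.0.0.1.6010  *.*               LISTEN
tcp4  0  0  192.168.1.5.22  192.168.1.7.2201  ESTABLISHED'

# write_samples DIR: write the two constructed snapshots to DIR/prev and DIR/now.
write_samples() {
    printf '%s\n' "$SAMPLE_PREV" > "$1/prev"
    printf '%s\n' "$SAMPLE_NOW" > "$1/now"
}

# normalize FILE [IGNORE_REGEX]: keep only LISTEN lines, drop lines matching
# IGNORE_REGEX, and sort, so a reordered snapshot is not seen as a change.
normalize() {
    if [ -n "${2:-}" ]; then
        grep LISTEN -- "$1" | grep -Ev -e "$2" | sort
    else
        grep LISTEN -- "$1" | sort
    fi
}

# listeners_diff PREV NOW [IGNORE_REGEX]
# Prints "- line" for listeners that vanished and "+ line" for new ones.
# Returns 0 when the filtered, sorted listener sets are identical, 1 otherwise.
listeners_diff() {
    prev=$1; now=$2; ignore=${3:-}
    # No previous snapshot (first run): compare against /dev/null so every
    # current listener is reported instead of being silently accepted.
    [ -e "$prev" ] || prev=/dev/null
    tp=$(mktemp "${TMPDIR:-/tmp}/lsn.XXXXXX") || return 2
    tn=$(mktemp "${TMPDIR:-/tmp}/lsn.XXXXXX") || { rm -f "$tp"; return 2; }
    normalize "$prev" "$ignore" > "$tp"
    normalize "$now" "$ignore" > "$tn"
    # comm(1) on sorted input: column 1 = only in PREV, column 2 = only in NOW.
    comm -23 "$tp" "$tn" | sed 's/^/- /'
    comm -13 "$tp" "$tn" | sed 's/^/+ /'
    if cmp -s "$tp" "$tn"; then rc=0; else rc=1; fi
    rm -f "$tp" "$tn"
    return $rc
}

# Stand-alone demonstration on the constructed snapshots, ignoring loopback.
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/lsn.XXXXXX")
write_samples "$demo_dir"
if listeners_diff "$demo_dir/prev" "$demo_dir/now" '127\.0\.0\.1\.'; then
    echo "listeners unchanged (loopback ignored)"
else
    echo "listeners changed (loopback ignored)"
fi
rm -rf "$demo_dir"
```

Because both snapshots are sorted before comm(1) sees them, a change in the order in which sockets are listed no longer triggers a report, and comm(1) separates removed from added listeners cleanly, which diff(1) on unsorted input does not. A cron wrapper around listeners_diff would mail the output when the return status is 1 and only then store the current snapshot as the next baseline, as Igor's script does with mv.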